JP2010141620A - Communications apparatus, server apparatus, communications method, and communications program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communications technique by which a combination of each encryption piece distributed in a content distribution system becomes unique every for a communications apparatus, and which is capable of improving degree of freedom when structuring the system. <P>SOLUTION: A communications apparatus has: a piece receiving section that receives a first encryption piece which is a piece encrypted by a first encryption key allocated to the other nodes 50 and 51, and first apparatus identification information for identifying the other nodes 50 and 51; a unique information storage that stores an allocated second encryption key; a piece encryption section that generates a second encryption piece obtained by further encrypting the first encryption piece using the second encryption key; and a data transmitter that transmits the second encryption piece, the first apparatus identification information, and second apparatus identification information for identifying the self apparatus. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a communication device, a server device, a communication method, and a communication program.

  For example, a distribution method that distributes data using P2P (peer to peer) (referred to as P2P distribution) does not require a data distribution server having a huge storage and a large communication band, and is a distribution method with a large cost merit. is there. Further, since a node receiving data distribution is expected to supply data from a plurality of nodes, high-speed data acquisition utilizing the bandwidth in download and upload is expected. As described above, the P2P data distribution has a great merit, but on the other hand, there is anxiety in safety from the viewpoint of data security such as copyright protection. The following is assumed as a general premise in considering data security such as copyright protection as well as P2P distribution. All terminal devices or nodes are not hacked. If this premise is denied, the terminal device cannot hold data that should be kept secret or perform processing that should be kept secret, and most security techniques and devices for ensuring security cannot be established.

  In P2P distribution, there is a content distribution system that distributes encrypted data, and a node that receives the data distribution acquires a decryption key for decrypting the data (distributed data). A major problem in data security in P2P distribution of such a system is that the combination of distribution data and a decryption key for decrypting the distribution data is single or small in number. In this case, it is assumed that a certain node is hacked and the decryption key is exposed. In this case, this decryption key can be used to decrypt most distribution data. One method for solving this problem is to individualize distribution data for each node.

  As a technique for individualizing distribution data for each node in P2P distribution, for example, a Marking method disclosed in Patent Document 1 is known. In this method, distribution data is divided into pieces, and encrypted with a key matrix to generate an encrypted piece. As a result, a piece group consisting of encrypted pieces encrypted in a matrix is generated. And such a piece group is distributed via a P2P network. One node connected to the P2P network acquires one encrypted piece from among a plurality of encrypted pieces encrypted in a matrix for each piece. As a result, it is expected that the combination of encrypted pieces obtained by encrypting each piece constituting the distribution data is statistically unique for each node.

USP 7165050

  However, in the technique of the above-mentioned Patent Document 1, it is only statistically expected that the combination of encrypted pieces is unique for each node. In order to realize the unique combination of the encrypted pieces for each node, for example, the following two methods are conceivable. One method is to devise a method for distributing encrypted pieces. One is a method in which a key server holding a decryption key for decrypting each encrypted piece restricts delivery of the decryption key. For example, in order to decrypt a distributed piece group, there is a system in which a node reports a combination of encrypted pieces to a key server and obtains a decryption key. In this system, in order to prevent a replay attack due to redistribution of the decryption key, there is a method in which the key server rejects a combination of the already obtained decryption key and an encrypted piece with many duplicates. However, either method may significantly reduce the distribution efficiency of the encrypted piece from time to time, and may not be able to take full advantage of the P2P network. In the former method, the independence of the data protection and the data distribution method is lost, which may be a major limitation in system construction. In addition, in a system in which a node obtains a decryption key from a key server regardless of whether or not each encryption piece combination is reported to the key server, it is more efficient that the amount of data transmitted from the key server is smaller. Yes, desirable.

  The present invention has been made in view of the above, and it is possible to make each combination of encrypted pieces distributed in the content distribution system unique for each communication device, and to increase the degree of freedom in system construction. An object is to provide a communication device, a server device, a communication method, and a communication program that can be improved.

  In order to solve the above-described problems and achieve the object, an embodiment of the present invention is a communication device that encrypts and transmits a piece that is a part of data, and is a communication device that is assigned to another communication device. Receiving means for receiving a first encrypted piece encrypted with one encryption key; first device identification information for identifying the other communication device; and a second cipher assigned to the communication device Storage means for storing a key; encryption means for generating a second encrypted piece obtained by further encrypting the first encrypted piece using the second encryption key; the second encrypted piece; Transmission means for transmitting one device identification information and second device identification information for identifying the communication device.

  Moreover, one Embodiment of this invention is the method and program which can be performed with the said apparatus.

  Further, an embodiment of the present invention is a key request for requesting a decryption key for decrypting an encrypted piece that is an encrypted piece, wherein the communication device mediates delivery of the encrypted piece. Receiving means for receiving the key request including apparatus identification information from the communication apparatus; key generating means for generating the decryption key using each of the apparatus identification information included in the key request; and the generated decryption key Transmitting means for transmitting to the communication device that transmitted the key request.

  Moreover, one Embodiment of this invention is a program which can be performed with the said apparatus.

  ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to make the combination of each encryption piece delivered in a content delivery system unique for every communication apparatus, and the communication apparatus which can improve the freedom degree in system construction, a server apparatus, The communication method and the communication program can be provided.

  Exemplary embodiments of a communication device, a server device, a communication method, and a communication program according to the present invention will be explained below in detail with reference to the accompanying drawings.

[First embodiment]
(1) Configuration <Configuration of content distribution system>
FIG. 1 is a diagram showing a configuration of a data distribution system according to the present embodiment. In the data distribution system according to the present embodiment, a plurality of nodes 50, 51A to 51B are connected via a P2P network NT. Although not shown, other nodes can also be connected via the P2P network NT. Each node 50, 51 </ b> A to 51 </ b> B is connected to the key server 53. Each node 50, 51A to 51B holds a node ID, which is device identification information uniquely assigned to each node, and a public key as assignment information uniquely assigned to each node. The node ID assigned to each node 50,51A~51B each as ID # 0, ID # 1, ID # 2, each public key and _{y 0, y 1, y 2} . Of the nodes 50 and 51A to 51B, the node 50 is a distribution start node serving as a data distribution base, and holds data to be distributed (referred to as distribution data). The distribution data may be plain text or may be already encrypted cipher text. For example, the distribution data may be video data protected by some DRM (Digital Right Management) System as encryption. The key server 53 holds secret keys x ₀ , x ₁ , and x ₂ corresponding to the public keys respectively assigned to the nodes 50 and 51A to 51B as secret information. Hereinafter, when it is not necessary to distinguish the nodes 51A to 51B, they are simply referred to as the node 51.

  Here, the hardware configuration of each device including the nodes 50 and 51 and the key server 53 will be described. Each device is a control device such as a CPU (Central Processing Unit) that controls the entire device, a storage device such as a ROM (Read Only Memory) or a RAM (Random Access Memory) that stores various data and various programs, and a variety of devices. It has an external storage device such as an HDD (Hard Disk Drive) or CD (Compact Disk) drive device that stores data and various programs, and a bus that connects them, and has a hardware configuration that uses a normal computer. ing. Each device includes a display device that displays information, an input device such as a keyboard and a mouse that accepts user instruction input, and a communication I / F (interface) that controls communication with an external device. Connected by

  The device identification information is information assigned to each node in the data distribution system, and may be any information as long as each node can be identified. For example, a node ID (for example, the MAC ( Media Access Control) address, IP address, mail address), public key assigned to the node, public key certificate, subscriber ID in distribution service such as paid data distribution.

The secret information is information stored secretly by the key server 53, and is information for decrypting the encrypted piece encrypted by each node. For example, the secret information corresponding to the public key y _i x _i is an algorithm for deriving the secret key x _i from the device identification information, and parameters (for example, a part of the input) in the algorithm. The secret information may be held not only by the key server 53 but also by a reliable third party (for example, a service provider).

<Configuration of distribution start node>
Next, in the hardware configuration described above, various functions realized when the CPU of the node 50 that is the distribution start node executes various programs stored in the storage device or the external storage device will be described. FIG. 2 is a diagram illustrating a functional configuration of the node 50. The node 50 includes a unique information storage unit 500, a random number generation unit 501, a piece encryption unit 503, a piece conversion unit 504, a data transmission unit 505, and a transmission request reception unit 506. The unique information storage unit 500 is reserved as a storage area in an external storage device such as an HDD of the node 50, for example. The entity of the random number generation unit 501, the piece unit 504, the piece encryption unit 503, the data transmission unit 505, and the transmission request reception unit 506 is stored on a storage device such as a RAM when the CPU program of the node 50 is executed. Is generated. Note that distribution data is stored in advance in the external storage device of the node 50.

  The unique information storage unit 500 stores the node ID and public key assigned to the node 50. The piece unit 504 divides the distribution data into a plurality of pieces. The data size at the time of division is not particularly limited, but is assumed to be predetermined. The transmission request receiving unit 506 receives a piece request for requesting the piece divided by the piece forming unit 504 from the other node 51. When the transmission request reception unit 506 receives a piece request, the random number generation unit 501 generates a random number that is temporary information that can be different for each occurrence. The temporary information only needs to be a value that can be different every time it is generated at a node, and includes, for example, a random number, a time stamp, a communication sequence number, a counter value unique to the node, and a time variant parameter. The Time Variant Parameter is described in, for example, the document ISO9798-1.

  The piece encryption unit 503 encrypts the piece using the random number generated by the random number generation unit 501 and the public key stored in the unique information storage unit 500, and includes encrypted data including an encrypted piece (details will be described later) ) Is output. The data transmission unit 505 transmits the node ID stored in the unique information storage unit 500 and the encrypted data output by the piece encryption unit 503 to the other node 51 that has transmitted the piece request.

<Configuration of nodes other than the distribution start node>
Next, various functions realized when the CPU of the node 51 other than the distribution start node executes various programs stored in the storage device or the external storage device will be described. FIG. 3 is a diagram illustrating a functional configuration of the node 51. The node 51 includes a unique information storage unit 510, a random number generation unit 511, a piece encryption unit 513, a data reception unit 514, a data transmission unit 515, a transmission request reception unit 516, a data storage unit 517, a transmission A request transmission unit 518, a key request transmission unit 519, and a piece decryption unit 520 are included. The unique information storage unit 510 and the data storage unit 517 are reserved as storage areas in an external storage device such as an HDD of the node 51, for example. Random number generation unit 511, piece encryption unit 513, data reception unit 514, data transmission unit 515, transmission request reception unit 516, transmission request transmission unit 518, key request transmission unit 519, piece decryption unit 520 Is generated on a storage device such as a RAM when the CPU of the node 51 executes the program.

The unique information storage unit 510 stores the node ID and public key assigned to the node 51. The configuration of the transmission request receiving unit 516 is the same as the configuration of the transmission request receiving unit 506 included in the node 50 described above. The transmission request transmission unit 518 transmits a piece request for requesting a piece to the node 50 or another node 51. The data receiving unit 514 sends encrypted data including the encrypted piece in which the piece is encrypted from the node 50 or another node 51 to which the transmission request transmitting unit 518 has transmitted the piece request, and the encrypted piece of the encrypted piece. A node ID string including each node ID assigned to at least one other node 50, 51 that mediates transmission is received. The data storage unit 517 stores the node ID string received by the data reception unit 514 and the encrypted data in association with each other. Encrypted data refers to data including an encrypted piece and a calculation information sequence. The calculation information is information that is changed according to a random number (temporary information), and for example, C _{1, i} described later corresponds to the calculation information.

  The random number generation unit 511 generates a random number in advance when encrypting the encrypted piece to be transmitted. The piece encryption unit 513 further encrypts one encrypted piece stored in the data storage unit 517 using the random number generated by the random number generation unit 511 and the public key stored in the unique information storage unit 510. To generate a new encrypted piece, and output encrypted data including the new encrypted piece.

  The data transmission unit 515 transmits the node ID string stored in the data storage unit 517 in association with the encrypted piece to be transmitted to the other node 51 that has transmitted the piece request received by the transmission request reception unit 516. In addition, a new node ID string including the node ID stored in the unique information storage unit 510, and a new encryption output by the piece encryption unit 513 (encrypt the encrypted piece to be transmitted in the piece encryption unit 513) The encrypted data including the piece is transmitted. If the encrypted piece is not stored in the data storage unit 517, even if the transmission request receiving unit 516 receives the piece request, the piece encryption unit 513 cannot output the encrypted data including the encrypted piece. The data transmission unit 515 does not transmit the encrypted data including the encrypted piece.

Here, the node ID string transmitted from the nodes 50 and 51 and the encrypted data including the encrypted piece will be specifically described. Note that one node ID is transmitted from the node 50 to one encrypted piece together with this, but here, for convenience of explanation, this may be described as a node string. Here, a case will be described in which the encrypted piece is transmitted from the node 50 to the node 51A, the encrypted piece is transmitted from the node 51A to the node 51B, and the key request is transmitted from the node 51B to the key server 53. For example, in response to a piece request from the node 51A for a certain piece P, the node 50 encrypts the piece P by using the random number r ₀ and the public key y ₀ and encrypts the encrypted data C _1,0 including the encrypted piece. , C _2,0 and Y ₀ are output. Note that C _{1, i} , C _{2, i} , and Y _i mean encrypted data calculated by the node 51 that mediates the distribution of encrypted data i-th on the distribution path. The encrypted data C _1,0 , C _2,0 , and Y ₀ when i = 0 means encrypted data calculated by the node 50 that is the distribution start node.

Here, as shown in FIG. 4, a part (or all) of the piece P is expressed as m, and the remaining part other than m is expressed as R. Assume that the node 50 transmits the encrypted data together with the node ID “ID # 0” to the node 51A. FIG. 5 is a diagram schematically showing information transmitted from the node 50 to the node 51A. Here, a method of calculating the encrypted data C _1,0 , C _2,0 , Y ₀ will be described. First, define the parameters. Let p and q be prime numbers, and q be divisible by p-1. Let Zq = {0, 1,..., Q−1}. Let Zp * = {1,..., P−1}. Let g be the q root of 1 on Zp *. Let Gq be a multiplicative group that is a subgroup of Zp * and whose order is q. Each node is informed of the values of p, q, and g. Hereinafter, it is assumed that the calculation is performed on Zp * unless otherwise specified. The public key y _i assigned to the node whose node ID is “ID # i” is expressed by the following equation (1).

Here, x _i is a secret key corresponding to the public key y _i , but only the key server holds each x _i , and each node holds only the public key. The node 50 uses the random number r ₀ and the public key y ₀ to calculate the encrypted data C _1,0 , C _2,0 , Y _{0 according} to the following formulas (2) to (5).

C _1,0 is information whose value changes depending on the random number r ₀ . That is, C _1,0 has a value corresponding to the random number r ₀ . Here, H represents a hash function. The definition of the function KXOR (K, R) is as follows. Input of KXOR are key K and the data R, R is the expressed as _{R = R 1 || R 2 ||} ... || R n. || represents data concatenation. For 1 ≦ i ≦ n, 'calculated and the output R _1' R _i by the following equation (6) and _{|| R 2 '|| ... || R} n'. When there is no data corresponding to R, such as when m = P, or when KXOR processing is not performed on R, the calculation of Y ₀ and K ₀ is not performed, and the encrypted data is C _{1, 0} , C _2,0 .

In the calculation of C ₂ in equation (3), it is necessary to map m to Gq. The definition of such a map F is the following equation (7). Let p = 2q + 1.
F: Zq → QRp: F (a) = a ² mod p (7)

Here, QRp = {1 ² mod p, 2 ² mod p,..., Q ² mod p}. The m by calculating the F (m) is to map the original Gq (QRp in this example) may be replaced with m in the above equation for F (m) calculating a C _2. Further, the definition of the inverse map F ⁻¹ of F is the following equation (8).
F ⁻¹ : QRp → Zq: F ⁻¹ (b) = min (b ^{(p + 1) / 4} , −b ^{(p + 1) / 4} ) (8)

Here, min (x, y) represents the smaller of x and y. For example, when x <y, min (x, y) = x (when x = y, min (x, y) = x). When m is obtained from F (m), F ⁻¹ (F (m)) may be calculated. Hereinafter, description of the process for calculating the above-described mapping and inverse mapping is omitted. Note that R may be left without performing the above-described KXOR processing.

The node 51A stores these node IDs “ID # 0” and the encrypted data C _1,0 , C _2,0 , Y ₀ in the data storage unit 517 in association with each other.

When the node 51A transmits encrypted data including the encrypted piece for the piece P in response to the piece request from the node 51B, the node 51A generates a random number r ₁ and encrypts it using the public key y _1. The encrypted pieces C ₂ and Y ₀ are further encrypted by the following equations (9) to (12) to calculate the encrypted data C _1,1 , C _2,1 and Y ₁ .

C _1,1 is information (calculation information) whose value changes according to the random number r ₁ . At this time, the node 51A stores itself in the unique information storage unit 510 in addition to the node ID “ID # 0” assigned to the node 50, which is stored in the data storage unit 517 with respect to the node 51B. Node ID “ID # 1” assigned to, calculated information C _1,0 stored in the data storage unit 517, calculated information C _1,1 calculated in the above equation, and encrypted piece C _2,1 , Y ₁ are transmitted. FIG. 6 is a diagram schematically illustrating information transmitted from the node 51A to the node 51B. The node 51B associates the node ID string “ID # 0, ID # 1”, the calculation information string C _1,0 , C _1,1 , and the encrypted pieces C _2,1 , Y ₁ with the data storage unit. Store in 517.

Returning to the description of FIG. The key request transmission unit 519 transmits to the key server 53 a key request for requesting a decryption key for decrypting the encrypted piece stored in the data storage unit 517. Here, the key request transmission unit 519 transmits the node ID string and the calculation information string stored in the data storage unit 517 corresponding to the encrypted piece to the key server 53 by including them in the key request. For example, the key server 53 sends a key request for requesting a decryption key for decrypting the encrypted pieces C _2,1 and Y ₁ shown in FIG. 6 that is output when the node 51B performs encryption. , The key request transmission unit 519 of the node 51B transmits a key request including the node ID string “ID # 0, ID # 1” and the calculation information strings _{C1,0, C1,1} . FIG. 7 is a diagram schematically showing information transmitted from the node 51B to the key server 53. As shown in FIG. As described above, when the node 51 requests the key server 53 for a decryption key for decrypting the encrypted piece, the node 51 indicates the distribution path of the encrypted piece, with the node 50 that is the distribution start node as a base point. The node ID string including the node IDs of the nodes 50 and 51 that mediate the distribution of the encrypted pieces and the calculation information string calculated from the random numbers generated by the nodes 50 and 51 are transmitted to the key server 53.

  The piece decryption unit 520 receives, as a decryption key, data (D and D ′ described later) transmitted from the key server 53 in response to the key request transmitted by the key request transmission unit 519, and encrypts using the decryption key Decode the piece. Note that how the piece decoding unit 520 decodes the piece P will be described later. FIG. 8 is a diagram schematically showing information transmitted from the key server 53 to the node 51B. Piece P is decrypted with the decryption key shown in FIG. Note that how the key server 53 generates the decryption key will be described later.

  Note that the order in which the node 51 obtains each of the plurality of pieces from which node and from which node is not particularly limited, but as described above, the node 51 encrypts each of the plurality of pieces. Each encrypted piece is acquired from the other nodes 50 and 51 by a piece request. Further, the node 51 receives each decryption key from the key server 53 by a key request for each encrypted piece, and obtains the above-described distribution data by decrypting each encrypted piece.

<Key server configuration>
Next, various functions realized when the CPU of the key server 53 executes various programs stored in the storage device or the external storage device will be described. FIG. 9 is a diagram illustrating a functional configuration of the key server 53. The key server 53 includes a secret key storage unit 530, a decryption key calculation unit 532, a data reception unit 531, and a data transmission unit 534. The secret key storage unit 530 is secured as a storage area in an external storage device such as an HDD of the key server 53, for example. The entities of the decryption key calculation unit 532, the data reception unit 531, and the data transmission unit 534 are generated on a storage device such as a RAM when the CPU program of the key server 53 is executed.

  The secret key storage unit 530 stores the secret keys corresponding to the public keys assigned to the nodes 50 and 51 in association with the node IDs assigned to the nodes 50 and 51, respectively. The data reception unit 531 receives a key request including the above-described node ID string and calculation information string from the node 51 and requests a decryption key for decrypting the encrypted piece.

Processing in the decryption key calculation unit 532 will be described using the above-described example (an example in which an encrypted piece is distributed from the node 50 to the node 51A and further from the node 51A to the node 51B, and the node 51B requests a key to the key server 53). . ID # 0, ID # 1, C 1,0, the key server 53 that has received the C _{1, 1} is a public key assigned to the private key x ₀ and the node 51A corresponding to the public key assigned to the node 50 corresponding with the private key x _1, the following equation (13), calculates the D, D 'by (14).

Here, the decoding process in the node 51B will be described. The node 51B uses the above formulas D and D ′ and the encrypted pieces C _2,1 and Y ₁ to obtain a piece P according to the following formulas (15) and (16).

The above-described encryption method is based on the ElGamal encryption method. In this encryption method, the secret keys x ₀ and x ₁ corresponding to the public keys y ₀ and y ₁ of the node 50 and the node 51A, respectively, which are used for piece encryption, utilizing the homomorphism of the ElGamal encryption method. Are combined into one decryption key D. As a result, the decryption key size can be kept constant even when the number of nodes through which the encrypted piece passes increases. Therefore, the amount of data transmitted from the key server can be reduced. The applicable encryption method is not limited to the ElGamal encryption method. Further, the number of decryption keys to be aggregated is not limited to one. In other words, any scheme can be applied as long as the secret key corresponding to each node's public key can be aggregated into a predetermined number of decryption keys.

  The data transmission unit 534 transmits the decryption key calculated by the decryption key calculation unit 532 to the node 51 that transmitted the key request received by the data reception unit 531. For example, in the above example, when the node 51A performs encryption, the key server 53 is shown in FIG. 8 in response to the key request including the node ID string and the calculation information string shown in FIG. Thus, D and D ′ are transmitted to the node 51B. By transmitting a decryption key for decrypting each encryption performed on the piece to the node 51B, the node 51B can completely decrypt the encryption of the encrypted piece.

(2) Operation <Distribution start node: distribution processing>
Next, a procedure of processing performed in the data distribution system according to the present embodiment will be described. First, the procedure of the distribution process performed by the node 50 that is the distribution start node will be described with reference to FIG. The node 50 divides the distribution data into a plurality of pieces (step S1). Then, the node 50 receives a piece request for requesting the piece from another node 51 (step S2: YES), generates a random number r ₀ (step S3). Next, the node 50 encrypts the piece P to be transmitted using the random number r ₀ and the public key y ₀ stored in the unique information storage unit 500, and outputs encrypted data including the encrypted piece. (Step S4). In addition, how to determine the piece to be transmitted is not particularly limited. Then, the node 50 transmits the node ID “ID # 0” stored in the unique information storage unit 500 to the other node 51 that has transmitted the piece request received in step S2, for example, as shown in FIG. ”, The random number r ₀ generated in step S3, and the encrypted data output in step S4 (step S5). Thereafter, the process returns to step S2, and the node 50 waits for reception of a new piece request. Note that the piece requests received in step S2 are not necessarily the same node 51, and the pieces P requested by the piece requests are not necessarily the same piece. Further, the random number generated in step S3 basically differs for each process in step S3.

<Reception processing>
Next, a reception processing procedure in which the node 51 receives an encrypted piece from the node 50 or another node 51 will be described with reference to FIG. The node 51 transmits a piece request for requesting a piece to the node 50 or another node 51 (step S10). Next, the node 51 receives the node ID string and the encrypted data from the node 50 or the other node 51 that is the partner that transmitted the piece request in step S10 (step S11). Then, the node 51 stores the node ID string received in step S11 and the encrypted data in association with each other (step S12).

<Nodes other than the distribution start node: distribution processing>
Next, the procedure of the distribution process performed by the nodes 51 other than the distribution start node will be described with reference to FIG. When the node 51 receives a piece request for requesting a piece from another node 51 (step S20: YES), the node 51 generates a random number (step S21). Next, the node 51 is an encrypted piece obtained by encrypting a piece P using the random number generated in step S21 and the public key stored in the unique information storage unit 510, and is stored in the data storage unit 517. The encrypted piece is further encrypted, and a new encrypted piece is output (step S22). Thereafter, the node 51 transmits the unique information in addition to the node ID stored in the data storage unit 517 in association with the encrypted piece to be transmitted to the other node 51 that has transmitted the piece request received in step S20. In addition to the new node ID string including the node ID stored in the storage unit 510 and the calculated information stored in the data storage unit 517 in association with the encrypted piece to be transmitted, at the time of encryption in step S22 A new calculation information sequence including the generated calculation information and the new encrypted piece output in step S22 are transmitted (step S23).

<Decryption process>
Next, a procedure of decryption processing in which the node 51 obtains a decryption key from the key server 53 and decrypts the encrypted piece using the decryption key will be described with reference to FIG. The node 51 reads the node ID string and the calculation information string associated with the encrypted piece stored in the data storage unit 517 (step S30), and requests a decryption key for decrypting the encrypted piece. Then, a key request including the node ID string and the calculation information string is transmitted to the key server 53 (step S31). Next, the node 51 receives the decryption key transmitted from the key server 53 in response to the key request transmitted in step S30 (step S32), and decrypts the encrypted piece using the decryption key (step S33). . Thus, each node 51 receives each decryption key from the key server 53 by a key request for each encrypted piece in which each of the plurality of pieces is encrypted, and decrypts each encrypted piece, thereby Distribution data can be obtained.

<Key server: Key transmission processing>
Next, a key transmission process procedure in which the key server 53 transmits a decryption key in response to a key request from the node 51 will be described with reference to FIG. When the key server 53 receives a key request (a request for a decryption key for decrypting an encrypted piece) including the node ID string and the calculation information string from the node 51 (step S40: YES), the key server 53 is included in the received key request. The secret key associated with each node ID included in the node ID string and stored in the secret key storage unit 530 is read for each node ID (step S41). Then, the key server 53 calculates a decryption key using the secret key read in step S41 and the calculation information received in step S40 (step S42). Next, the key server 53 transmits the decryption key generated in step S42 to the node 51 that transmitted the key request received in step S40 (step S43).

  According to the above configuration, a combination of encrypted pieces acquired by a certain node is unique to the distribution route and the distribution time, and can be surely unique. According to such a configuration, the uniqueness of each node can be reliably increased for each combination of encrypted pieces acquired by each node without special measures regarding the distribution method in P2P distribution. Can be improved. Furthermore, it becomes possible to maintain the independence between the data protection and the data distribution method, and the degree of freedom in system construction can be improved. In addition, as described above, since a plurality of secret keys respectively corresponding to a plurality of public keys used in encryption by a plurality of nodes can be aggregated into one decryption key and used for decryption, Even when the number of nodes passing through increases, the size of the decryption key can be kept constant, and the amount of data transmitted from the key server can be reduced.

[Modification]
Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined. Further, various modifications as exemplified below are possible.

<Modification 1>
In the above-described embodiment, various programs executed in each node 50 may be stored on a computer connected to a network such as the Internet and provided by being downloaded via the network. In addition, the program is recorded in a computer-readable recording medium such as a CD-ROM, a flexible disk (FD), a CD-R, a DVD (Digital Versatile Disk) in a file in an installable or executable format. You may comprise so that it may provide. In this case, the program is loaded onto the main storage device (for example, RAM) by being read from the recording medium at each node 50 and executed, and each unit described in the functional configuration is generated on the main storage device. The The same applies to various programs executed by the key server 53.

  In the above-described embodiment, all or part of the units described in the functional configuration of each node 50 may be configured by hardware. The same applies to all or some of the components described in the functional configuration of the key server 53.

<Modification 2>
In the first embodiment, the example in which the encrypted piece is further encrypted in each node has been described. However, the present invention is not limited to this, and the received encrypted piece may be transferred to another node as it is. Further, only the distribution start node may perform encryption. Hereinafter, an example in which only the distribution start node performs encryption will be described. Hereinafter, only the points different from the first embodiment will be described, and the description thereof will be omitted when the same processing as that of the first embodiment is performed. (The same applies to other modifications described later.)

Each node is given a secret key x _i 'in advance. The key server 53 holds z and each x _i that satisfy the following expression (17).

The node 50 generates a random number r and calculates encrypted data by the following equations (18) and (19).

Each node distributes the encrypted data C ₁ and C ₂ via the P2P network. The node 51B transmits a decryption key request message including E represented by the following equation (20) to the key server 53. The key server 53 calculates D by the following equation (21) and transmits it to the node 51B.

The node 51B that receives D decrypts the encrypted piece according to the following equation (22).

<Modification 3>
In the first embodiment, the example has been described in which the key server 53 transmits the decryption key D as it is. However, the key server 53 may transmit the data after encrypting D. Thereby, the decryption key can be protected from eavesdropping. The node 51B generates a random number t ₂ and transmits a decryption key request message including E represented by the following expression (23) to the key server 53 in addition to the node ID string C _1,0 and C _1,1. To do.

The key server 53, the decryption key D as with the first embodiment calculates, calculates the D _e in the following (24), and transmits the D _e to node 51B.

Node 51B which receives the D _e decrypts the encrypted piece by the following equation (25).

As the method of generating the D _e, it may be used a common key cryptosystem. That is, D _e may be obtained by encrypting D using g ^ t ₂ as a common key.

<Modification 4>
In the first embodiment, the example in which the encryption is performed on the multiplicative group of the finite field has been described. However, the present invention is not limited to this, and the encryption may be performed on the additive group including points on the elliptic curve. An example in which encryption is performed on an additive group consisting of points on an elliptic curve will be described below. Let G be the base point on the elliptic curve. The public key y _i given to each node is expressed as y _i = x _i G. The node 50 performs encryption processing according to the following equations (26) to (29).

Here, [A] _x represents the x coordinate of the point A on the elliptic curve. The node 51A performs encryption processing according to the following equations (30) to (33).

The key server 53 calculates the decryption keys D and D ′ by the following equations (34) and (35), and transmits them to the node 51B.

<Modification 5>
In the fourth modification, an example in which m is treated as a scalar has been described. However, the present invention is not limited to this, and encryption may be performed by converting m into a point M on an elliptic curve. Hereinafter, an example of performing encryption by converting m to a point M on the elliptic curve will be described. Only differences from Modification 4 are described. The function Plus and the function Minus are defined as follows. Either Definition 1 or Definition 2 may be adopted.
(Definition 1) Plus (A, B) represents addition of a vector of length 2 on point p and point B on mod p (p is a prime number). In this case, Minus (A, B) represents the subtraction of a vector of length 2 on mod p.
(Definition 2) Plus (A, B) represents point addition of A and B. In this case, Minus (A, B) represents the point addition of the inverse element B of B and A.

The node 50 converts m into a point M, and performs encryption processing according to the following equations (36) to (39).

  The method of converting m to point M or converting point M to m is, for example, “Standards for Efficient Cryptography, SEC 1: Elliptic Curve Cryptography, Version 1.0, September 20, 2000. (http: //www.secg .org / download / aid-385 / sec1_final.pdf) ".

The node 51A performs encryption processing according to the following equations (40) to (43).

The key server 53 calculates the decryption keys D and D ′ by the following equations (44) and (45), and transmits them to the node 51B. The node 51B calculates the point M according to the following equation (46), and converts the point M to m.

<Modification 6>
In the fourth modification, an example in which encryption is performed on an additive group consisting of points on an elliptic curve has been described. This may be applied to the second modification. Hereinafter, an example in which encryption is performed on an additive group composed of points on an elliptic curve in Modification 2 will be described. Only differences from Modification 4 are described.

The node 50 generates a random number r, converts m into a point M, and calculates encrypted data according to the following equations (47) and (48).

Each node distributes the encrypted data C ₁ and C ₂ via the P2P network. The node 51B transmits a decryption key request message including E expressed by the following equation (49) to the key server 53.

The key server 53 calculates D by the following equation (50) and transmits it to the node 51B.

The node 51B that receives D calculates the point M by the following equation (51), and converts the point M to m.

<Modification 7>
In the fourth modification, an example in which encryption is performed on an additive group consisting of points on an elliptic curve has been described. This may be applied to the third modification. Hereinafter, an example in which the encryption is performed on an additive group composed of points on an elliptic curve in Modification 3 will be described. Only differences from Modification 4 are described. The node 51B generates a random number t ₂ and transmits a decryption key request message including E represented by the following expression (52) to the key server 53 in addition to the node ID string C _1,0 and C _1,1. To do.

The key server 53, the decryption key D is calculated by the following equation (53), further (54) calculating a D _e by formula. And sends D _e to node 51B.

Node 51B which receives the D _e calculates the D by the following equation (55).

The node 51B calculates M by the following equation (56) and converts M to m.

As the method of generating the D _e, it may be used a common key cryptosystem. That is, D _e may be obtained by encrypting D using t ₂ G as a common key.

<Modification 8>
Each node may be selected to perform the KXOR process described above. In this case, in order to identify which node has performed the KXOR process in the key server 53, each node should transmit the node ID string of the node that has performed the KXOR process separately from the above-described node ID string. good.

Further, instead of the function KXOR described above, a function KXOR ′ function defined below may be used. Input KXOR 'are key K and the data R, R is the expressed as _{R = R 1 || R 2 ||} ... || R n. For 1 ≦ i ≦ n, R _i ′ is calculated by Z _i = s * Z _i−1 + t, Z ₀ = K, and the following equation (57), and the output is R ₁ '|| R ₂ ' || ... || R _n '. In this modification, “*” and “+” represent multiplication and addition on the extension field, respectively. Although s and t are constants, both s and t may be fixed to the system, s may be changed for each distribution data, and t is for each distribution data, for each node, or for each distribution data and for each node. It may be changed to

<Modification 9>
The relationship between the piece P and m, which is part of the data, is not limited to the example shown in FIG. 4, but may be P = m as shown in FIG. In this case, Y _i and K _i are not calculated. Further, as shown in FIG. _{16, P = m 1 || m} 2 || ... may || m _N. In this case, the encrypted data is calculated for each m _i (without calculating Y _i and K _i ). In this case, each node may not be encrypted necessarily all m _i.

Here, as shown in FIG. 17, at which a _{P = m 1 || m 2 ||} ... || m N || R, ( at node 51B) of the decryption key node 51B receives from the key server 53 The storage format will be described. The node 51B of the first embodiment may have a decryption key storage unit for storing a decryption key. FIG. 18 is a diagram illustrating a functional configuration of the node 1851 of the present modification configured as described above. As shown in the figure, the node 1851 further includes a decryption key storage unit 18521. The decryption key storage unit 18521 may be realized by a removable recording medium such as an SD memory card or an SDHC memory card. In particular, it is desirable to store the decryption key in a secret area of a removable recording medium such as an SD memory card or an SDHC memory card. Let D _{i be} the decryption key for decrypting m _i , and D ″ be the decryption key for decrypting R. The calculation method of D _i is the same as the above equation (13). The calculation method of D ″ is the same as the above equation (14).

An example of the storage format of the decryption keys D ₁ , D ₂ ,..., D _N , D ″ in the decryption key storage unit 18521 is shown in FIG. The node 51B stores the decryption key received from the key server 53 in the decryption key storage unit 18521. Then, the node 51B reads the decryption key from the decryption key storage unit 18521, performs the same calculation as the above formulas (15) and (16), and decrypts the encrypted piece.

<Modification 10>
The piece encryption method in the first embodiment can be regarded as an application of the ElGamal encryption method, but is not limited to this, and is not limited to “R. Cramer and V. Shoup,“ A Practical Public Key Cryptosystem Provably Secure. The Cramer-Shoup encryption method disclosed in “Adaptive Chosen Ciphertext Attack,” Proc. CRYPTO '98, LNCS 1462, Springer-Verlag, pp. 13-25, 1998 ”may be applied to the piece encryption method.

First, an overview of the Cramer-Shoup cryptosystem will be described.
(Key generation) As in the first embodiment, prime numbers p and q are generated. Random elements g ₁ and g ₂ of Gq are selected, and secret keys x ₁ , x ₂ , y ₁ , y ₂ and z (all elements of Zq) are generated. Public keys g ₁ , g ₂ , c, d, h corresponding to the secret key are generated. Here, c, d, and h are defined by the following equations (58) to (60).

(Encryption) Select an element of Zq at random, and let the selected element be r. The plaintext m that is an element of Gq is encrypted by the following formulas (61) to (65) to obtain ciphertexts u ₁ , u ₂ , e, and v. Here, H is a hash function.

(Decoding) a is calculated by the following equation (66).

Next, it is checked whether the following expression (67) is satisfied using the secret key.

If the inspection passes, the plaintext m is calculated by the following equation (68) using the secret key. If the inspection fails, a message indicating that the ciphertext is invalid is issued and the processing is terminated.

Next, a case where this is applied to the first embodiment (an example in which an encrypted piece is distributed from the node 50 to the node 51A and the node 51B and the node 51B requests the decryption key from the key server 53) will be described. . The key server 53 includes secret keys x _{1, i} , x _{2, i} , y _{1, i} corresponding to the public keys g ₁ , g ₂ , c _i , d _i , h _i (= g ₁ ^zi ) of each node, respectively. , Y _{2, i} , know z _i . Here, c _i , d _i , and h _i are expressed by the following formulas (69) to (71).

In addition to the public keys g ₁ , g ₂ , c _i , d _i , h _i , each node is also given a secret key x _{1, i} , x _{2, i} , y _{1, i} , y _{2, i,} respectively. In the ciphertexts u ₁ , u ₂ , e, v, C _1,0 in the above equation (2) corresponds to u ₁ , u ₂ , v, and C _2,0 in the above equation (3) corresponds to e. Can be considered. The public key of the node 51A is expressed as g ₁ , g ₂ , c ₁ , d ₁ , h ₁ . The distribution start node 50 generates a random number r ₀ and performs encryption according to the following formulas (72) to (78).

Here, u _{1, i} , u _{2, i} , a _i , v _i , e _i , Y _i , and K _i are calculated by the node 51 that mediates the distribution of the encrypted data i-th on the distribution path. Data. The data u _1,0 , u _2,0 , a ₀ , v ₀ , e ₀ , Y ₀ , K ₀ when i = 0 means data calculated by the node 50 that is the distribution start node. .

The node 50 does not have to transmit its node ID to the node 51A when transmitting the encrypted data to the node 51A. The public key of the node 51B is expressed as g ₁ , g ₂ , c ₂ , d ₂ , h ₂ . The node 51A verifies the above equation (67) using the received encrypted data and its own private key. If the inspection is passed, a random number r ₁ is generated, and encryption is performed according to the following equations (79) to (85). If the inspection fails, a message indicating that the encrypted data is invalid is issued and the process ends.

When the node 51A transmits the encrypted data to the node 51B, the node 51A transmits its own node ID to the node 51B. When the node 51B transmits the decryption key request message to the key server 53, the node 51B transmits the node ID of the node 51A and its own node ID as a node ID string to the key server 53. The key server 53 that has received u _1,0 , u _1,1 and the node ID string from the node 51B calculates the decryption key according to the following equations (86) and (87), and uses the decryption keys D and D ′ as the nodes. To 51B.

The node 51B may transmit u _2,1 , e ₁ , v ₁ to the key server 53 in addition to u _1,0 , u _1,1 and the node ID string. In this case, the key server 53 also verifies the above equation (67). That is, the key server 53 performs verification of the expression (67) using the received encrypted data and the secret key of the node 51B. If the inspection passes, the decryption keys D and D ′ are transmitted to the node 51B. If the inspection fails, a message indicating that the encrypted data is invalid is issued and the process ends. Decoding in the node 51B is performed by the following equations (88) and (89).

<Modification 11>
The piece encryption method in the first embodiment can be regarded as applying the ElGamal encryption method. However, the present invention is not limited to this, and the RSA encryption method may be applied to the piece encryption method.

First, an outline of the RSA encryption method will be described.
(Key generation) Generate prime numbers p and q, and calculate N = pq. Next, e in which the greatest common divisor with (p-1) (q-1) is 1 is selected at random. Then, d which becomes edo1 (mod (p-1) (q-1)) is calculated. Here, aob (mod N) represents that the difference a−b between the integers a and b is 0 or a multiple of the positive integer N. The public key is (e, N) and the corresponding private key is d.

(Encryption) Using the public key, plaintext m (m is an integer satisfying 0 ≦ m ≦ N−1) is encrypted by the following equation (90) to obtain ciphertext C.

(Decryption) The plaintext m is calculated by the following equation (91) using the secret key d.

Next, a case where this is applied to the first embodiment (an example in which an encrypted piece is distributed from the node 50 to the node 51A and the node 51B and the node 51B requests the decryption key from the key server 53) will be described. . The public key that can be given to each node is (e _i, N). The key server 53 holds all the secret keys d _i (e _i d _i o1 (mod (p−1) (q−1))) corresponding to the public keys that can be given to each node. The key server 53 knows the values of p and q. The distribution start node 50 encrypts m by the following equation (92) using the public key e ₀ . Here, C _i means an encrypted piece calculated by the node 51 that mediates the distribution of encrypted data i-th on the distribution path. The encrypted piece C ₀ when i = 0 means an encrypted piece calculated by the node 50 that is the distribution start node.

The node 50 transmits its node ID “ID # 0” and the encrypted piece C ₀ to the node 51A. The node 51A further encrypts C ₀ by the following equation (93) using the public key e ₁ .

Node 51A transmits the node ID column "ID # 0, ID # 1" and the encrypted piece C ₁ to node 51B. The node 51B transmits a decryption key request message including the node ID string “ID # 0, ID # 1” received from the node 51A to the key server 53. The key server 53 calculates the decryption key D by the following equation (94).

Decoding at the node 51B is performed by the following equation (95).

<Modification 12>
In the first embodiment, the key server 53 holds the secret key x _i corresponding to the public key of each node. However, the present invention is not limited to this, and the node ID “ID # i” of each node is used. Only the derivation algorithm (for example, the function F represented by the following equation (96)) may be stored so that the secret key x _i is derived from.
x _i = F (ID # i, Kmaster) (96)

F（ｘ，ｙ）＝H（ｘ || ｙ） ・・・（９９） As the function F, for example, any of the following expressions (97), (98), and (99) may be used. In the above equations (97), (98), and (99), “ID # i” is substituted for x, and the secret key “Kmaster” of the key server 53 is substituted for y.

F (x, y) = H (x || y) (99)

  In Expression (97), E represents an encryption function, and E (Key) [X] represents that X is encrypted with Key. In Expression (98), D represents a decryption function, and D (Key) [X] represents that X is decrypted with Key. That is, 'C = D (Key) [E (Key) [C]]'. In Expression (99), H represents a hash function, and || represents data concatenation. In this way, it is not necessary to store the secret key corresponding to the public key of each node in the key server 53, and the storage capacity in the key server 53 can be saved.

It is a figure which shows the structure of the data delivery system concerning 1st Embodiment. It is a figure which illustrates the functional structure of the node 50 concerning the embodiment. It is a figure which illustrates the functional structure of the node 51 concerning the embodiment. It is a figure which shows typically the information transmitted to the node 51A from the node 50 concerning the embodiment. It is a figure which shows typically the piece concerning the embodiment. It is a figure which shows typically the information transmitted to the node 51B from the node 51A concerning the embodiment. It is a figure which shows typically the information transmitted to the key server from the node 51B concerning the embodiment. It is a figure which shows typically the information transmitted to the node 51B from the key server concerning the embodiment. It is a figure which illustrates the functional structure of the key server concerning the embodiment. It is a flowchart which shows the procedure of the delivery process which the node 50 which is a delivery start node concerning the embodiment performs. 4 is a flowchart showing a procedure of a reception process in which a node 51 according to the embodiment receives an encrypted piece from a node 50 or another node 51. It is a flowchart which shows the procedure of the delivery process which nodes 51 other than the delivery start node concerning the embodiment perform. It is a flowchart which shows the procedure of the decoding process which the node 51 concerning the embodiment acquires a decoding key from a key server, and decodes an encryption piece using this. 4 is a flowchart showing a procedure of key transmission processing in which the key server according to the embodiment transmits a decryption key in response to a key request from a node 51. It is a figure which shows typically the piece concerning the embodiment. It is a figure which shows typically the piece concerning the embodiment. It is a figure which shows typically the piece concerning the embodiment. It is a figure which illustrates the functional structure of the node 1851 concerning the embodiment. It is a figure which illustrates the storage format of the decryption key concerning the embodiment.

Explanation of symbols

50, 51, 51A, 51B Node 53 Key server 500 Unique information storage unit 501 Random number generation unit 503 Piece encryption unit 504 Piece generation unit 505 Data transmission unit 506 Transmission request reception unit 510 Unique information storage unit 511 Random number generation unit 513 Piece encryption Generating unit 514 data receiving unit 515 data transmitting unit 516 transmission request receiving unit 517 data storing unit 518 transmission request transmitting unit 519 key request transmitting unit 520 piece decrypting unit 530 secret key storing unit 531 data receiving unit 532 decrypting key calculating unit 534 data transmission Part 18521 Decryption Key Calculation Part NT P2P Network

Claims (18)

A communication device that encrypts and transmits a piece that is part of data,
Receiving means for receiving a first encrypted piece which is a piece encrypted with a first encryption key assigned to another communication device, and first device identification information for identifying the other communication device;
Storage means for storing a second encryption key assigned to the communication device;
Encryption means for generating a second encrypted piece obtained by further encrypting the first encrypted piece using the second encryption key;
Transmitting means for transmitting the second encrypted piece, the first device identification information, and the second device identification information for identifying the communication device;
A communication apparatus comprising: The first encrypted piece is a predetermined number of pieces calculated based on a plurality of pieces of secret information corresponding to each of the plurality of encryption keys used for encryption. Encrypted with the first encryption key determined by an encryption method that can be decrypted with a decryption key;
The storage means stores the second encryption key determined by the encryption method;
The communication apparatus according to claim 1. The receiving means receives the first encrypted piece, the first device identification information, and the first calculation information calculated by the other communication device when encrypting the first encrypted piece. ,
Further comprising: a calculation means for generating temporary information that can be different for each generation, and calculating second calculation information having a value corresponding to the temporary information;
The encryption means generates a second encrypted piece obtained by further encrypting the first encrypted piece using the temporary information and the second encryption key,
The transmission means transmits the second encrypted piece, the first device identification information, the second device identification information, the first calculation information, and the second calculation information;
The communication apparatus according to claim 1. The receiving means includes the first cipher encrypted with the first cipher key y _j (0 ≦ j ≦ i−1) assigned to i (i is a natural number of 1 or more) the other communication devices. Receiving the control piece C _{2, i-1} , the first device identification information, and the first calculation information C _{1, i-1} .
The storage means stores the second encryption key y _i determined by the encryption method,
The calculating means, the generating the temporary information r _i, the second calculation information C _{1, i} is calculated by the following formula (1) having a value corresponding to the temporary information r _i,
Said encryption means, the temporary information r _i and the second encryption key y _i and the second encrypted piece C _2, which was further encrypting the first encrypted piece C _{2, i-1} with _i Is generated by the following equation (2):
The communication device according to claim 3.

(Where g is the qth root of 1 on Zp * = {1,..., P−1}, p and q are prime numbers, and q is divisible by p−1) The receiving means includes the first cipher encrypted with the first cipher key y _j (0 ≦ j ≦ i−1) assigned to i (i is a natural number of 1 or more) the other communication devices. Receiving the control piece C _{2, i-1} , the first device identification information, and the first calculation information C _{1, i-1} .
The storage means stores the second encryption key y _i determined by the encryption method,
The calculating means, the generating the temporary information r _i, the second calculation information C _{1, i} is calculated by the following equation (3) having a value corresponding to the temporary information r _i,
Said encryption means, the temporary information r _i and the second encryption key y _i and the second encrypted piece C _2, which was further encrypting the first encrypted piece C _{2, i-1} with _i Is generated by the following equation (4):
The communication device according to claim 3.

(Where G is the base point on the elliptic curve, [A] _x is the x coordinate of point A on the elliptic curve) The receiving means includes the first cipher encrypted with the first cipher key y _j (0 ≦ j ≦ i−1) assigned to i (i is a natural number of 1 or more) the other communication devices. Receiving the control piece C _{2, i-1} , the first device identification information, and the first calculation information C _{1, i-1} .
The storage means stores the second encryption key y _i determined by the encryption method,
The calculating means, the generating the temporary information r _i, the second calculation information C _{1, i} is calculated by the following formula (1) having a value corresponding to the temporary information r _i,
Said encryption means, the temporary information r _i and the second encryption key y _i and the second encrypted piece C _2, which was further encrypting the first encrypted piece C _{2, i-1} with _i Is generated by the following equation (2):
The communication device according to claim 3.

(However, Plus (A, B) is the addition of a vector of length 2 on mod p (p is a prime number) between point A and point B on the elliptic curve, or point A and point on the elliptic curve. (Represents point addition with B) The receiving means includes the first encryption keys (g _1, g _2, c _j, d _j, h _j ) (0 ≦ j) assigned to i (i is a natural number of 1 or more) the other communication devices. ≦ i−1), the first encrypted piece e _i−1 , the first device identification information, and the first calculation information (u _{1, i−1,} u _{2, i−1,} v _i-1 ), and receive
It said storage means, said second encryption key defined by the encryption method _{(g 1, g 2, c} i, d i, h i) stores,
The encryption means further encrypts the first encrypted piece e _i-1 using the temporary information r _i and the second encryption key (g _1, g _2, c _i, d _i, h _i ). The encrypted second encrypted piece e _i is generated by the following equation (7):
The calculation means generates the temporary information r _i and uses the second calculation information (u _{1, i,} u _{2, i,} v _i ) having a value corresponding to the temporary information r _i as the following (8): Calculating by the equation (11),
The communication device according to claim 3.

(Where H represents a predetermined hash function) The reception means, i pieces (i is a natural number of 1 or more) said encrypted with the first said assigned to other communication device encryption key e _j and N (0 ≦ j ≦ i- 1) a 1 encrypted piece C _i-1 and the first device identification information are received,
The storage means stores the second encryption keys e _i and N determined by the encryption method,
Said encryption means is generated by the second encryption key e _i and the first encrypted using the N pieces C _i-1 further encrypted follows the second encrypted piece C _i (12) Formula To do,
The communication apparatus according to claim 1.

(However, N = pq (p and q are prime numbers) The receiving means receives the first encrypted piece partially encrypted with the first encryption key and the first device identification information;
The encryption means generates the second encrypted piece obtained by further encrypting a portion of the first encrypted piece encrypted by the first encryption key, using the second encryption key;
The communication apparatus according to claim 1. The receiving means includes the first encrypted piece in which a portion other than the portion encrypted by the first encryption key is encrypted by another encryption method different from the encryption method, the first device identification information, Receive,
The encryption means further encrypts a portion of the first encrypted piece encrypted by the first encryption key using the second encryption key, and the first encrypted piece includes the first encrypted piece. Generating the second encrypted piece obtained by further encrypting a part other than the part encrypted by the encryption key by the other encryption method;
The communication device according to claim 9. The transmitting means further transmits a key request including the first device identification information to request a decryption key for decrypting the first encrypted piece to the server device,
The receiving means further receives a decryption key for decrypting the first encrypted piece from the server device,
Further comprising decryption means for decrypting the first encrypted piece using the received decryption key;
The communication apparatus according to claim 1. A key request for requesting a decryption key for decrypting an encrypted piece that is an encrypted piece, the key request including the device identification information of the communication device mediating delivery of the encrypted piece Receiving means for receiving from the communication device;
Key generation means for generating the decryption key using each device identification information included in the key request;
Transmitting means for transmitting the generated decryption key to the communication device that transmitted the key request;
A server device comprising: Storage means for storing secret information assigned to each of a plurality of communication devices that encrypt and transmit a piece that is a part of data and device identification information assigned to each of the communication devices in association with each other Prepared,
The key generation means generates the decryption key using the secret information stored in association with each device identification information included in the key request;
The server device according to claim 12. The encrypted piece is a predetermined number of pieces of decryption calculated based on a plurality of pieces of secret information corresponding to a plurality of encryption keys used for encryption of pieces encrypted with a plurality of encryption keys. It is encrypted with an encryption key defined by an encryption method that can be decrypted with a key,
The key generation means generates the number of the decryption keys using the secret information stored in association with each of the device identification information included in the key request;
The server device according to claim 12 or 13, characterized in that: The receiving means receives from the communication device the key request further including calculation information calculated based on temporary information that may be different for each generation and an encryption key assigned to the communication device;
The key generation means encrypts the decryption key generated using the secret information stored in association with each device identification information included in the key request, using the calculation information,
The transmitting means transmits the encrypted decryption key to the communication device that transmitted the key request;
The server device according to claim 12 or 13, characterized in that: A communication method executed by a communication device that encrypts and transmits a piece that is a part of data,
Reception in which the receiving means receives a first encrypted piece that is a piece encrypted with a first encryption key assigned to another communication device, and first device identification information for identifying the other communication device. Steps,
An encryption step for generating a second encrypted piece obtained by further encrypting the first encrypted piece by using a second encryption key assigned to the communication device stored in the storage unit;
A transmission step of transmitting the second encrypted piece, the first device identification information, and the second device identification information for identifying the communication device;
A communication method comprising: A communication device that encrypts and transmits a piece that is a part of data,
Receiving means for receiving a first encrypted piece which is a piece encrypted with a first encryption key assigned to another communication device, and first device identification information for identifying the other communication device;
Storage means for storing a second encryption key assigned to the communication device;
Encryption means for generating a second encrypted piece obtained by further encrypting the first encrypted piece using the second encryption key;
Transmitting means for transmitting the second encrypted piece, the first device identification information, and the second device identification information for identifying the communication device;
Communication program to function as Computer
A key request for requesting a decryption key for decrypting an encrypted piece that is an encrypted piece, the key request including the device identification information of the communication device mediating delivery of the encrypted piece Receiving means for receiving from the communication device;
Key generation means for generating the decryption key using each device identification information included in the key request;
Transmitting means for transmitting the generated decryption key to the communication device that transmitted the key request;
Communication program to function as

Images